June 2017 35 Internal Auditor
68% of audit stakeholders in the banking sector encourage culture audits, but only 32% of
internal audit functions perform them, according to an IIA Financial Services Audit Center quick poll.
judgment and communicating appropriately with their clients.
Scope and Techniques
The most comprehensive culture audits
combine hard and soft control testing
at a variety of levels. For example:
» Audits of entity-level governance and risk management
structures and activities.
» Audits of processes with significant cultural influence such as
ethics training, incentives, and
human resource practices.
» Cross-functional thematic audits
such as culture of compliance
and management initiatives.
» Cultural auditing embedded in
every audit project.
Audit results should include hard
evidence where it applies, as well as
the results of interviews and other self-assessment techniques. All audit evidence should be correlated and analyzed
until reasonable and persuasive statements about culture emerge. Conclusions should be discussed and modified,
if appropriate, at all levels before they
are finalized. Internal audit techniques
that have proven effective for auditing
culture are root cause analysis, structured interviews, employee surveys, and
Root cause analysis is basic to good internal auditing. Pushed deeply
enough, the root cause of an audit
issue is often cultural. It might be a
disconnect between the desired overall
culture and the subculture created by
a manager. Or it might be pervasive.
“Connecting the dots” from numerous
audits can create persuasive evidence of
an issue in the overall culture.
Structured interviews enable internal auditors to ask a sample of
employees the same questions. For
example, to determine whether a
“culture of compliance” exists in his company, a CAE personally interviews 65
of the 1,000 employees. He starts with
simple questions to set each employee
at ease and later gets into sensitive
questions like, “Have you ever been
asked to do anything that you believe
violates the code of business conduct
or company policies?”
The Subjectivity of Culture
Culture is inherently subjective. So how can internal auditors obtain objective evidence about something that is, itself, subjective? The answer is the evidence obtained in auditing culture doesn’t have to be as objective as the evidence obtained in auditing hard controls. The applicable International Standards for the Professional Practice of Internal Auditing
(1100, 1120, 2310, 2320, and 2420) do not require objective evidence. To summarize what the
Standards say, internal auditors must identify the best attainable information about the culture
through the use of appropriate engagement techniques. This information must be factual, adequate, and convincing so that a prudent, informed person would reach the same conclusions as
the auditor. Internal auditors must base their conclusions and engagement results on appropriate analyses and evaluations. Their reporting of results must be fair, impartial, and the result of
a balanced assessment of all relevant facts and circumstances.
To comply with the Standards, internal auditors typically use a combination of objective
and subjective evidence, evaluate it objectively, and “connect the dots” about the culture in
a way that is persuasive. They are careful not to conclude more firmly than the evidence supports, and they present results as giving perspective into the culture rather than stating audit
opinions or ratings.
This technique is more objective
than unstructured interviews because
one set of questions and one skilled
interviewer bring consistency to the
process. It does, however, require a high
level of interviewing skills to detect
when someone’s positive answer isn’t
what the person is really thinking and
ask the right follow-up questions. It
also relies on the interviewer’s understanding of what was said and the
willingness of upper management to
believe its accuracy.
Employee surveys have the advantages of gathering evidence from a large
sample of employees and producing
objective data. The most common survey technique for internal auditors is
asking employees to respond to a series
of statements by indicating whether
they strongly agree, agree, disagree, or
strongly disagree with each statement,
with an option like “not applicable” or
“don’t know” off to the side and not
factored into the results. The audit
report can then state, for example, that
“46 percent of responding employees
disagreed or strongly disagreed with the